SSL – Why You Need it Now!

Back in January we blogged on the changes Google was making to how users interact with your website. Specifically, the role SSL was going to play in how your site ranked and what users will see. Google has been hinting since 2014 that HTTPS would play an important role in the future.

That future is now here. Google has been emailing those with access to Webmaster tools to switch to HTTPS. The fact that they are reaching out via Webmaster tools is an indication of the seriousness of this update.

As of the next Chrome update – Chrome 62 – pages with HTTP will be marked as “Not Secure”.

When a HTTP page loads a small warning sign will be added to the start of the URL. You have most likely seen this before, when browsing online. It comes in the form of an exclamation point inside a triangle.

However, with the Chrome 62 update, the moment users begin inputting data into a form – even a newsletter sign up – a new warning will be added.

Users will see a “Not Secure” warning appear beside the URL.

Future predictions see this changing to a bright red warning as Google further pushes this rollout.

While we aren’t at code red yet, we are getting close. In January Google was pushing for people to switch to HTTPS. 10 months later and we are now seeing the first direct consequences of staying with HTTP. This is a very quick change and it is not unreasonable to think that the large red warning is in the very near future.

It is really best to make the switch to HTTPS sooner, rather than later.

It is very likely that, based on whether you site has migrated to HTTPS or remains on HTTP it will begin to affect your organic ranking in Google, with Google and users giving preferences to websites that do not display the “Not Secure” warning.

In their own words, Google wants to make the internet safer for everyone. As such, they are making security a top priority by enforcing the use of HTTPS.

What is HTTPS?

HTTPS provides a secure connection between your website and your users, encrypting data so that it cannot intercept. Both sides of the “conversation” between the user’s computer and your website will need to send a key to allow the passage of data.

Enforcing this switch to HTTPS is actually pretty important. When we browse online, we assume that the actions we take are private between ourselves and the website.

However, on sites that are not HTTPS, that privacy can be very easily cracked. HTTPS protects the communication between a user and your website, while HTTP does not. HTTP leaves you, your website and your users vulnerable to any number of attacks.

Hacking HTTP – It’s A Little Too Easy

There are, unfortunately, many different ways to exploit the unsecure connections of the HTTP, resulting in a bad – or even dangerous – user experience. These can be broken down into three broad categories:

Intrusive Content Injections

An intrusive content injection occurs when intrusive companies – hotels and internet service providers, for example – inject advertising onto your website. While this doesn’t sound too bad, some of these advertisements can break elements of your website design, affecting the user experience.

Injected advertisements can also cause serious vulnerabilities that can be easily exploited by hackers. Using the vulnerabilities created by injected advertising, a hacker can add malware to your site or infect any user accessing your website. This has been seen with many popular sites – such as Photobucket – where advertising was a mule for some dangerous trojan viruses and ransomware.

Network Eavesdropping

This category is a little more insidious than simple intrusive content injections, and is a common exploit of HTTP. Network eavesdropping is an attack that focuses on capturing small packets of data from the network.

The data is then read in search of information. A hacker can read the uploaded information being passed from your site to your user, allowing them to steal the data.

Hackers use this data to track user information, activity and behaviours in order to reveal the identity of your users. This is one of the most common kinds of hacking and is actively used by black hat hackers.

Man-In-The-Middle Attacks

One of the worst – yet still uncomfortably common – methods of hacking. A man-in-the-middle attack uses network eavesdropping to spook – fake – a connection between your user and your website.

The hacker will then infiltrate the communication between your user and website, secretly, and alters the communication – without you or your user realising what is happening!

The hacker can then steal information sent to your website or user, as well as actively altering data. They can intercept the communication, alter it, and then send it on without anyone being the wiser.

Man-in-the-middle attacks inject inject malware, trojans, ransomware and a – as well as steal identities and credit card information.

HTTPS to the Rescue!

HTTPS, however, stops these kinds of exploits from happening. There is a layer of security to HTTPS called Transport Layer Security (TLS) that requires either the user, your website, or both to authenticate that connection before any form of communications begin.

Because man-in-the-middle attacks rely on a hacker being able to completely impersonate both sides of the conversation, HTTPS stops them being able to impersonate your website, the user, or both. It stops anyone eavesdropping on your data – or the data of your user – so it cannot be dangerously modified.

HTTPS authentication proves that users are only communicating with the website in question and no one else. It builds user trust which will ultimately translate into bigger business benefits. People are far more likely to visit your website if it is safe. And based on their roll out of this warning system, it is not unreasonable to assume that ranking penalties for HTTP sites are not too far behind. Already we are seeing a slight boost in rankings for sites that have switched to HTTPS.

It is incredibly important you make the switch sooner, rather than later. Please contact BSO Digital today to discuss your move from HTTP to HTTPS.